IETF Logo Mail Archive

Re: NAT64 in RA, draft-ietf-6man-ra-pref64

David Farmer <farmer@umn.edu> Tue, 02 July 2019 14:05 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0327E1200B6 for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 07:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcp9ylBaglKo for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 07:05:49 -0700 (PDT)
Received: from mta-p6.oit.umn.edu (mta-p6.oit.umn.edu [134.84.196.206]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2700120041 for <ipv6@ietf.org>; Tue, 2 Jul 2019 07:05:49 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id F2E0BD2C for <ipv6@ietf.org>; Tue, 2 Jul 2019 14:05:48 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bptwWgTT7Uv8 for <ipv6@ietf.org>; Tue, 2 Jul 2019 09:05:48 -0500 (CDT)
Received: from mail-vs1-f71.google.com (mail-vs1-f71.google.com [209.85.217.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id A7110D21 for <ipv6@ietf.org>; Tue, 2 Jul 2019 09:05:48 -0500 (CDT)
Received: by mail-vs1-f71.google.com with SMTP id v20so4922099vsi.12 for <ipv6@ietf.org>; Tue, 02 Jul 2019 07:05:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jLNnICAEFL4W33XQ0LO037u8tFRMkRsbujUNgk1ED7Q=; b=WfirMrOqOgoCtWIgZ6PxOOdmw5r2Umh+ONRLqdBKJ7SLA4OwSS44Z1/aIePO+tQoXw QkJOkWmk9deyTdnXHifjHh8MOioju6DQOWSw2FCV8h9QnbtGyS3ncwp42GF6YeVLi8FE D6lt/ygK2ACBHtaWXeWO/Wi9Xj/Q5Q9F1NSauvumrgxCJ318zEF0Wz9JMtbT1SLZysRY /HB/rYzS2ySkx/x3uXVm5w8d0qUpBdxHaEZcDdz6oONfLs48kV74ummLBV3yJDoRqWSe aGQWqUKJiqiDRwK0IWZHwkLiUpt2/w8Q0opFeDPhbqMGkbLUKNp34RZE5iFwQvrmdF/K YAiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jLNnICAEFL4W33XQ0LO037u8tFRMkRsbujUNgk1ED7Q=; b=pzEfqEfd9ENxNHARJZdMYcPJl6EbzSbQLfF9Yd+Y1pT2ZMHO2rb86pGkK5esx8G1wy BYfVz8MS3F6ev0ekouqpDjSEJwgkCcqVk3B6vRSHzeD2jLlu/pG7y9PKZyqGwo3RGFNu 8MHm+fTK7Ds6G+2fqld8jvu9OWanvKl7lba4YZHtEDhiC88Dz08FWWo6NHdHwK8MEgAO 1fkPSL16Cvl2dIrHJzKcCh/ffNLtMI9+9U2w+7cCT1qhSyu+EFbGRquNDBCkoHh9iO3i E1TDY7eL0/yxB1tNS6hoJrrZKm1w45QIKGnDSE76s+za63nYUzBF5j+QTmc/LCWoPBXD htow==
X-Gm-Message-State: APjAAAXqwGKx8/NrvVijUB6ldgMnRG+ZlDcyAnHqlGV82BXLl5Cq5JI1 yTlBtOtt+OEePKAZfdwjIIbLHxWO+jxaKs9H89hcCiSyTqZ0LgV+kkO1LYZ94xMxavQ0h18tE36 Il+gQ/dPwSkN2ICD9ARwuI5zf
X-Received: by 2002:a9f:2650:: with SMTP id 74mr15036093uag.133.1562076347242; Tue, 02 Jul 2019 07:05:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx+DrwNBdZDly4KjojGmLJFlI5z7We2HWgJySS1HRRJr61+xytR8i13F9vVo+KQIDdN51L2cttW/zlfwSXXZJw=
X-Received: by 2002:a9f:2650:: with SMTP id 74mr15036061uag.133.1562076346634; Tue, 02 Jul 2019 07:05:46 -0700 (PDT)
MIME-Version: 1.0
References: <12187.1558972629@localhost> <D3C7EB41-02E8-48D6-9335-26A041FD64C2@isc.org> <00C00FE5-C7CD-4B99-A2C9-CCBFCB1E4850@isc.org> <CAFU7BASfJ4YS6xBzK8hNJRSMnFZmdn3VE5A=sPCC3JqRa8SQEQ@mail.gmail.com> <EC63A89D-26CD-4093-8814-4461B6D3D327@isc.org> <CAFU7BASsAwitEc==Zj6qT4izy-tFosg23DHXFVVzOixidEfMFA@mail.gmail.com> <CAKD1Yr3jDTS25ERGZYDDM9yRRTxEfY4Ltcd-QgFNor6ze2G7xA@mail.gmail.com> <6053.1561748461@localhost> <CAFU7BAR9kmnk3Q9aOpsqGFVRZkiRXb0FkZjMXWG2gN0-o1MjGw@mail.gmail.com> <0167874A-F2B4-434A-B674-792FE3AD0E2D@gmail.com> <CAFU7BAT2zw2+EnLW_MZnj2L9RBwH2DyStgRUbaY6bCZLuJwG9g@mail.gmail.com> <CAKD1Yr2mzeVzXFmzh3N21MCr-sg1xJ9D67TPqvEd9YffCrzdqA@mail.gmail.com> <CAN-Dau3qMAH0KAfahjFgN2-mMttmwpM4wEt4vypAxZcvUXB=gQ@mail.gmail.com> <CAKD1Yr3tm==UMQmuiO5EGv=YM1a0VxPa_5_0ywQQrouPo4SgCQ@mail.gmail.com>
In-Reply-To: <CAKD1Yr3tm==UMQmuiO5EGv=YM1a0VxPa_5_0ywQQrouPo4SgCQ@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 02 Jul 2019 09:05:30 -0500
Message-ID: <CAN-Dau3K+qUsU3a6n4MCOL0aE36bKJPSWozfB7oxJSembXVCbg@mail.gmail.com>
Subject: Re: NAT64 in RA, draft-ietf-6man-ra-pref64
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Jen Linkova <furry13@gmail.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0e22c058cb33dbb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/n_ezh4Y3rVjCA582ziEDHXBwFJE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 14:05:52 -0000

On Tue, Jul 2, 2019 at 7:51 AM Lorenzo Colitti <lorenzo@google.com> wrote:

> On Tue, Jul 2, 2019 at 9:09 PM David Farmer <farmer@umn.edu> wrote:
>
>> Right. That was the gist of my earlier comment. I believe we all agree
>>> that in the most common deployment scenario (i.e., an IPv6-only host with
>>> no IPv4), an exclusion list is not useful, because the host really can't
>>> reach anything that's not reachable via IPv6.
>>>
>>
>> I mostly agree, but there is a scenario I've been thinking about;
>>
>> What if the network operator doesn't want RFC1918 and RFC 6598 IPv4
>> addresses synthesized at all? I suppose the NAT64 function could block
>> these addresses. However, for a large enough population that could be a lot
>> of useless traffic going to the NAT64 function. While on the other hand
>> some network operators, especially enterprise operators, will probably want
>> these addresses synthesized.
>>
>
> Hmm... but why will hosts want to send traffic to those addresses? Hosts
> (especially IPv6-only hosts) won't just arbitrarily decide to connect to
> RFC1918 addresses of their own accord. They will only do that if there is a
> reason to do so - for example, if there is an A record in the DNS pointing
> at such addresses.
>

You partly answer this below, it happens all the time in IPv4 today. There
is a reason we have AS112, there is a ton of junk out there. Yes, AS112 is
a different problem, but I still think it illustrates the scale of the
problem. RFC1918 addresses are everywhere and they leak everywhere too.


> But why would the network operator publish A records in the DNS for IP
> addresses that it intentionally wants to make unreachable from some hosts?
> What is the reason for doing so compared to obvious alternatives such as a)
> don't publish said A records, or b) publish said A records together with
> corresponding AAAA records?
>

One of the reasons we want this RA option is that clients are configured
with DNS servers not provided by the network operator. So even if the
network operator doesn't put these addresses in their DNS, the client could
be using a DNS server serving these addresses to it. For example, what if
the client is hard configured with an enterprise DNS server? Then there are
all the DNS games VPN clients play.  As I said, the NAT64 function can
block this but then it has to receive the traffic just to drop it. Maybe
it's just the price we have to pay for all the brokenness in IPv4.


> Also, this problem already exists today in IPv4. Any IPv4-only or
> dual-stack host asked to connect to an RFC1918 address will send packets to
> it, regardless of whether the address is reachable and of whether it's in
> the same NAT domain as the host. For example, applications using STUN, such
> as video chat applications, will often try all addresses advertised by the
> remote host, even in the common case that the remote host is in a different
> NAT domain (e.g. video chat between two residential users each of whom is
> behind their own NAT).
>
> Now a complicated APL capability isn't probably needed to handle this, a
>> simple one-bit option flag or two would suffice, I believe.
>>
>
> In the common case of a /96 prefix I don't think there are any bits left
> in the current packet format without increasing the size of the option from
> 16 to 24 bytes.
>
>>
If we don't provide a mechanism to configure this, then clients
implementing this feature MUST synthesize DNS entries for RFC1918 and
RFC6598 IPv4 addresses received in A records, and it is up to the NAT64
function to apply an appropriate local policy for these addresses. I think
other special purpose IPv4 addresses MAY be safely excluded from DNS
synthesize.

Thanks
-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email